Here is their concern: Encryption uses random bits to encrypt data. Random number generators get their data from entropy pools. Entropy pools gather their data, or unpredictable random noise, from a number of sources: local processes, file access, device access, page hits, keyboard clicks, and mouse movements, to name a few. The noise is broken down into a set of random bits that is then used for encryption.

The researchers claim that servers used in cloud computing do not generate enough random bits because they typically do not have keyboards or mice attached. Adding to the problem, they tend to be single-use, short-term servers, and because of this they are not in operation long enough to create strong keys.

If an attacker were to set up their own virtual machine with a cloud provider, they might be able to guess the encryption keys because the entropy pool could be similar. This would greatly reduce the number of calculations needed to guess the complete key.
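A small model of that concern, added here as an illustration and not taken from the researchers' work: it counts how many distinct 128-bit keys a fleet of freshly started instances produces when the only thing that differs between their entropy pools is the boot second, and again when each pool also receives bytes from a real random source. The pool layout, the image seed value and the function names are assumptions made for the example; they do not describe any particular kernel or cloud provider.

```python
import hashlib
import hmac
import math
import os

IMAGE_SEED = b"constructed-image-seed"   # constructed: state baked into a shared VM image
BASE_BOOT_TIME = 1_700_000_000           # constructed: start of the launch window

def boot_pool(boot_second: int, hw_rng: bool) -> bytes:
    """Model of a new instance's entropy pool right after boot (assumed layout)."""
    pool = IMAGE_SEED + boot_second.to_bytes(8, "big")
    if hw_rng:
        # Stand-in for a hardware RNG feeding the pool at boot.
        pool += os.urandom(32)
    return pool

def derive_key(pool_state: bytes) -> bytes:
    """Toy key generation: a 128-bit key is only as unpredictable as the pool."""
    return hmac.new(b"keygen", pool_state, hashlib.sha256).digest()[:16]

def distinct_keys(n_instances: int, window_seconds: int, hw_rng: bool) -> int:
    """Number of different keys produced by n_instances booted inside the window."""
    keys = set()
    for i in range(n_instances):
        boot_second = BASE_BOOT_TIME + (i % window_seconds)
        keys.add(derive_key(boot_pool(boot_second, hw_rng)))
    return len(keys)

def effective_key_bits(window_seconds: int) -> float:
    """Bits of uncertainty in the key when only the boot second is unknown."""
    return math.log2(window_seconds)

if __name__ == "__main__":
    n, window = 1000, 60
    print("keys are nominally 128 bits long")
    print("distinct keys, boot time only :", distinct_keys(n, window, hw_rng=False))
    print("effective key bits            : %.1f" % effective_key_bits(window))
    print("distinct keys, with hw RNG    :", distinct_keys(n, window, hw_rng=True))
```

In this model a thousand instances launched within one minute share only sixty keys, so the key carries about six bits of uncertainty despite its 128-bit length; once each pool also receives independent random bytes, every instance gets its own key.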

I feel the probability of this actually happening is small, partly because the researchers at iSec Partners have not been able to guess an encryption key based on this problem. However, I would not rule it out, since the human mind is endless in its abilities.

I would turn this statement around and say that cloud providers need to demonstrate adequate randomness for their nail-up tear-down environments. You don't mention them, but it is possible to get genuine chip-based random number generators which generate those numbers from thermal noise, etc., and those should be more than adequate for the task without needing to rely on other extraneous input such as mice and keyboards.

So summarising, the question really is: What are cloud providers using to ensure adequate randomness?